The IAO will ensure the SAN is configured to use digital signatures or a proprietary method (not based on PKI) to ensure that the switches and other SAN fabric components can verify that they are speaking to an anothorized fabric member. This will ensure that rogue devices cannot be inserted and autoconfigured which is a feature of many SANs.

From Storage Area Network STIG

Part of Fabric Switches do not have mutual authentication

Associated with IA controls: ECNK-1

SV-6753r3_rule The IAO will ensure the SAN is configured to use digital signatures or a proprietary method (not based on PKI) to ensure that the switches and other SAN fabric components can verify that they are speaking to an anothorized fabric member. This will ensure that rogue devices cannot be inserted and autoconfigured which is a feature of many SANs.

Vulnerability discussion

Switch-to-swich managment (ICL) traffic does not have to be encrypted. The requirement is for the switches to have a method for authenticating to each other. Brocade and possibly other vendors have a proprietary way of doing this and it is acceptable. This must be turned on and configured such that a rogue switch cannot be inserted and be autoconfigured to joint the fabic. The intention is to have the fabrics use digital signatures or some other means to verify that they are communicating with an authorized SAN device.

Check content

The reviewer will, with the assistance of the IAO/NSO, verify that all fabric switches are configured to use a mutual authentication.

Fix text

Develop a plan to reconfigure the SAN fabric switches to use mutual authentication between switches. for SANs that process sensitive information. Obtain CM approval for the plan and then implement the plan.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer